Provisioning control apparatus and method for provisioning electronic components or devices
Abstract
A provisioning control apparatus is configured to be coupled to a provisioning equipment server, wherein the provisioning equipment server is electrically connectable with one or more electronic devices for provisioning the electronic devices with security sensitive provisioning data. The provisioning control apparatus includes a processor configured to generate a group context for sharing the group context with a first further provisioning control apparatus for creating a group of provisioning control apparatuses. The group context includes a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and the first further provisioning control apparatus is configured to be coupled to the provisioning equipment server. The processor is configured to generate the security sensitive provisioning data based on the group context. The provisioning control apparatus includes a communication interface configured to provide the security sensitive provisioning data to the provisioning equipment server.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1 . A root or parent provisioning control apparatus configured to be coupled to a provisioning equipment server, the provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the electronic devices with security sensitive provisioning data, wherein the root or parent provisioning control apparatus comprises:
a processor configured to generate a group context for sharing the group context with a first further provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the first further provisioning control apparatus is a child provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and wherein the first further provisioning control apparatus is configured to be coupled to the provisioning equipment server; wherein the processor is further configured to generate the security sensitive provisioning data based on the group context, wherein the root or parent provisioning control apparatus further comprises a communication interface configured to provide the security sensitive provisioning data to the provisioning equipment server, wherein the certificate for the group provate key of the group context chains back to a root certificate of an entity supplying the root or parent provisioning control apparatus and the first further provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding private keys, and wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys.
2 . The root or parent provisioning control apparatus of claim 1 , wherein the communication interface is further configured to provide the group context to the first further provisioning control apparatus.
3 . The root or parent provisioning control apparatus of claim 1 , wherein the one or more OEM keys comprise an OEM certificate.
4 . The root or parent provisioning control apparatus of claim 1 , wherein the communication interface is further configured to provide the group context to a security server for generating a proxy provisioning control apparatus on the security server, wherein the proxy provisioning control apparatus is configured to provide the group context to a second further provisioning control apparatus for enrolling the second further provisioning control apparatus for the group of provisioning control apparatuses, wherein the second further provisioning control apparatus is configured to be coupled to the provisioning equipment server.
5 . The root or parent provisioning control apparatus of claim 1 , wherein the processor is further configured to assign an identity to the first further provisioning control apparatus, wherein the identity of the first further provisioning control apparatus is indicative of the root or parent provisioning control apparatus and the first further provisioning control apparatus.
6 . The root or parent provisioning control apparatus of claim 5 , wherein the processor is further configured to assign an identity to a second further provisioning control apparatus, wherein the identity of the second further provisioning control apparatus is indicative of the root or parent provisioning control apparatus and the second further provisioning control apparatus.
7 . A child provisioning control apparatus configured to be coupled to a provisioning equipment server, the provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the one or more electronic devices with security sensitive provisioning data, wherein the child provisioning control apparatus comprises:
a communication interface configured to receive a group context from a first further provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the first further provisioning control apparatus is a root or parent provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption; and a processor configured to generate the security sensitive provisioning data based on the group context,
wherein the communication interface is further configured to provide the security sensitive provisioning data to the provisioning equipment server,
wherein the certificate for the group private key of the group context chains back to a root certificate of an entity supplying the child provisioning control apparatus and the first further provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding provate keys, and
wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys.
8 . The child provisioning control apparatus of claim 7 , wherein the one or more OEM keys comprise an OEM certificate.
9 . The child provisioning control apparatus of claim 7 , wherein the communication interface is further configured to provide the group context to a security server for generating a proxy provisioning control apparatus on the security server, wherein the proxy provisioning control apparatus is configured to provide the group context to a second further provisioning control apparatus for enrolling the second further provisioning control apparatus in the group of provisioning control apparatuses, wherein the second further provisioning control apparatus is configured to be coupled to the provisioning equipment server for provisioning the electronic devices with the security sensitive provisioning data.
10 . The child provisioning control apparatus of claim 7 , wherein the communication interface is further configured to provide the group context to a second further provisioning control apparatus for enrolling the second further provisioning control apparatus in the group of provisioning control apparatuses, wherein the second further provisioning control apparatus is configured to be coupled to the provisioning equipment server for provisioning the electronic devices with the security sensitive provisioning data.
11 . The child provisioning control apparatus of claim 10 , wherein the communication interface is further configured to receive an identity from the first further provisioning control apparatus, wherein the identity of the child provisioning control apparatus is indicative of the child provisioning control apparatus and the first further provisioning control apparatus.
12 . The root or parent provisioning control apparatus of claim 11 , wherein the processor is configured to assign an identity to the second further provisioning control apparatus, wherein the identity of the second further provisioning control apparatus is indicative of the child provisioning control apparatus, the first further provisioning control apparatus and the second further provisioning control apparatus.
13 . A provisioning system comprising:
a root or parent provisioning control apparatus, which includes: a processor configured to generate a group context for sharing the group context with a child provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the child provisioning control apparatus is a first further provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and wherein the child provisioning control apparatus is configured to be coupled to the provisioning equipment server; wherein the processor is further configured to generate the security sensitive provisioning data based on the group context, wherein the root or parent provisioning control apparatus further comprises a communication interface configured to provide the security sensitive provisioning data to the provisioning equipment server; wherein the child provisioning control apparatus is according to claim 8 ; and a provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the one or more electronic devices with the security sensitive provisioning data, wherein the certificate for the group private key of the group context chains back to a root certificate of an entity supplying the root or parent provisioning control apparatus and the child provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding private keys, and wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys.
14 . A method for operating a root or parent provisioning control apparatus configured to be coupled to a provisioning equipment server, the provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the one or more electronic devices with security sensitive provisioning data, wherein the method comprises:
generating a group context for sharing the group context with a first further provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the first further provisioning control apparatus is a child provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and wherein the first further provisioning control apparatus is configured to be coupled to provisioning equipment server; generating the security sensitive provisioning data based on the group context; and providing the security sensitive provisioning data to the provisioning equipment server, wherein the certificate for the group private key of the group context chains back to a root certificate of an entity supplying the root or parent provisioning control apparatus and the first further provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding private keys, and wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.